Category: EU

Google changes Privacy Policy due to GDPR

19. December 2018

As it is widely known these days, the General Data Protection Regulation (GDPR) came into force earlier this year to standardize data protection regulation in the EU. This has now lead to the fact that Google will update the company’s terms of service and privacy policy to be compliant with the GDPR.

The company started to notify the countries in the European Economic Area (EEA) and Switzerland in regard to some upcoming changes. They will come into effect on January 22, 2019.

The most important update, also legally, is the change of the data controller. The Google Ireland Limited will become the so called “data controller” who is responsible for the information of European and Swiss users . Therefore, Google Ireland Limited will be in charge to respond to request from users and to ensure compliance with the GDPR. At present, these services are provided by Google LLC, based in the U.S.

For website operators this means that they might also have to adapt their privacy policy accordingly. This is the case, for example, if Google Analytics is used.

Furthermore, there are no changes in regard to the current settings and services.

Guidelines for Binding Corporate Rules issued in Argentina

18. December 2018

The Argentine Authority of Access to Public Information (Agencia de Acceso a la Información Pública – AAIP) has recently issued its guidelines for Binding Corporate Rules (BCRs) on international data transfer. The Binding Corporate Rules are a mechanism for multinational corporations to legitimize international transfers of personal data within the group. This tool for creating a contractually binding “code of conduct” regarding international data transfers was evolved in the EU and has also been incorporated expressly in Article 47 GDPR. BCRs have been designed as a global solution to comply with the principles of data protection and thus create an adequate level of data protection (cf. Art. 44, 47 GDPR).

Like the GDPR, the Argentine Personal Data Protection Law No. 25, 326 does not permit the cross-border transfer of personal data to countries or international organizations that do not provide an adequate level of data protection. Such transfers would be allowed in accordance with Regulatory Decree No. 1558/2001 when the data subjects expressly gave their consent to the transfer; an appropriate international data transfer agreement is in place; or an adequate protection level arises from self-regulation systems.

According to Regulation 159/2018 published Dec. 7, 2018, the AAIP has now approved guidelines for such BCRs that legitimize international data transfer to countries or international organizations that have not been recognized as providing an adequate level of data protection.

These guidelines provide a framework of principles for a self-regulation mechanism reflecting the requirements and conditions imposed by the Argentine Personal Data Protection Law. The rules of the self-regulation system have to be legally binding upon all members of the corporate group as well as employees, subcontractors and third-party beneficiaries (e.g. data subjects, AAIP). Among other things, those BCRs must consider lawfulness conditions of processing, data subjects’ rights and specific protection concerning sensitive aspects. Furthermore, the subsequent cross-border data transfer to those entities providing a non-adequate level of data protection shall be restricted, data subjects shall be able to place a judicial or administrative complaint and under the BCRs must an appropriate staff data protection training has to take place with regard to data processing activities.

The AAIP shall eventually be entitled to engage in international data transfers originating from an Argentine entity as data exporter and – as third-party beneficiary – in those cases in which personal data of subjects in Argentina is affected.

However, the approval of the AAIP of BCRs that follow the requirements of Regulation No. 159/2018 is not required. In the case a group of companies would rely on BCRs that differ from those conditions though, the relevant documents need to be submitted to the AAIP for approval within the term of 30 calendar days from the date that the transfer took place.

As a valid mechanism to legitimize the international transfer of data within a group of companies, the use of BCRs is been reasonably expected to increase when it comes to in Argentina.

Spain publishes new data protection law

11. December 2018

On December 6, 2018, the new Spanish data protection law was published in the “Boletín Oficial Del Estado”. The “Ley Orgánica de Protección de Datos Personales y Garantía de los Derechos Digitales” (Organic Law on Data Protection and Digital Rights Guarantee) has been approved with 93% parliamentary support and implements the GDPR into national law.

The new law contains a number of regulations that will affect data processing operations. For example that the consent of a data subject is not enough to legitimate the processing of special categories of data if the main purpose is e.g. to identify an individual’s racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership or genetic data.

The law also includes a list of cases in which entities must appoint a data protection officer for example entities that operate networks and provide electronic communications services, education centres and public and private universities. All businesses have up to 10 days after (mandatory or voluntary) appointing a data protection officer to notify the Spanish Data Protection Authority of that fact.

However, one of the biggest changes is the introduction of new digital rights such as the right to universal access to the internet; the right to digital education; the right to privacy and use of digital devices in the workplace; the right to digital disconnection in the workplace; the right to privacy in front of video surveillance devices and sound recording at work; the right to digital will.

400,000€ fine for a Portuguese hospital

24. October 2018

The Portuguese data protection supervisory authority CNPD (Comissão Nacional de Protecção de Dados) recently announced that the hospital Barreiro Montijo is to pay a fine of 400,000€ for incompliancy with the EU General Data Protection Regulation (GDPR). This is the first time that a high fine has been imposed in Europe based on the new GDPR framework of fines.

According to Portuguese newspaper Público, the hospital has violated the GDPR by allowing too many users to have access to patient data in the hospital’s patient management system, even though they should only have been visible to medical doctors. In addition, too many profiles of physicians have been created in the hospital system. The CNPD discovered that 985 users with the access rights of a medical doctor were registered, although only 296 physicians were employed in 2018.

The hospital now wants to take legal action against the fine.

EDPB Publishes Opinions on National DPIA Lists

17. October 2018

Regarding the data protection impact assessment (“DPIA”) the European Data Protection Board (“EDPB”) recently published 22 Opinions on the draft lists of Supervisory Authority (“SAs”) in EU Member States. This is supposed to clarify which processing operations are subject to the requirement of conducting a DPIA under the EU General Data Protection Regulation (“GDPR”).

The European Data Protection Board is an independent European body, which contributes to the consistent application of data protection rules throughout the European Union, and promotes cooperation between the EU’s data protection authorities. The Supervisory Authorities will now be given two weeks to decide whether they want to amend their draft list or maintain them and explain their decision.

Article 35(4) of the GDPR states that the SAs of the EU Member States must establish, publish and communicate to the EDPB a list of processing operations that trigger the DPIA requirement under the GDPR. Several EU Members States provided their list: Austria, Belgium, Bulgaria, Czech Republic, Estonia, Finland, France, Germany, Greece, Hungary, Ireland, Italy, Latvia, Lithuania, Malta, Netherlands, Poland, Portugal, Romania, Slovakia, Sweden and the United Kingdom.

The national lists can vary because the SAs must take into account not only their national legislation but also the national or regional context.

To some extent, the EDPB requests that the SAs include processing activities in their list or specify additional criteria that, when combined, would satisfy the DPIA requirement. Furthermore, the EDPB requests that the SAs remove some processing activities or criteria not considered to present a high risk to individuals. The objective of the EDPB opinions is to ensure consistent application of the GDPR’s DPIA requirement and to limit inconsistencies among the EU States with respect to this requirement.

France: Intelligence agency officer caught selling sensitive police data

9. October 2018

A massive case of misuse of confidential data from security authority surveillance systems has been uncovered in France. After the French customs tracked down an illegal marketplace called “Black Hand” in June, the investigators also found data that was sold by an anonymous user called “Haurus”. Haurus sold for example confidential documents and information from national police databases.

Meanwhile the investigators gleaned the identity of the hacker with the help of specific codes attached to the data. According to French newspaper “Le Parisien”, Haurus is an officer at the “Direction générale de la sécurité intérieure” (DGSI), a French intelligence agency. The DGSI is normally in charge of counter-terrorism, countering cyber-crime and surveillance of potentially threatening groups and organisations.

According to the reports, the agent offered services in exchange for bitcoin. For example, he advertised to track the location of buyer’s gang rivals or spouses based on the telephone number or he offered to tell them, if the French police tracked them. The investigators believe that he used the resources, which the French police uses to track criminals.

Haurus was arrested at the end of September and faces up to seven years in prison and a fine up to 100.000€.

Category: Cyber security · EU
Tags: ,

Facebook may face up to $1.63 Billion Fine in Europe after Data Breach

2. October 2018

Ireland’s Data Protection Commission, the company’s lead privacy regulator in the EU, could fine Facebook Inc. up to $1.63 billion for a data breach disclosed Friday, reports the Wall Street Journal. Hackers compromised the accounts of at least 50 million users, bypassing security measures and possibly giving them full control of both profiles and linked apps.

The Commission is now requesting more information on the scale and nature of the data breach in order to find out which EU residents could be affected. Facebook announced that it would respond to follow-up questions. The incident results in the latest legal threat Facebook is facing from U.S. and European officials over its handling of user data and is a severe setback to their efforts to regain trust after a series of privacy and security breaches.

The way in which this data breach is handled by data protection authorities could mark one of the first important tests under the GDPR, which came into force in May earlier this year. The handling could provide conclusions regarding the application of breach-notifications and data-security provisions by companies in the future.
The law requires companies to notify data protection authorities of breaches within 72 hours, under threat of a maximum fine of 2% of worldwide revenue. Furthermore, under the GDPR companies that fail to safeguard their users’ data risk a maximum fine of €20 million ($23 million), or 4% of a firm’s global annual revenue for the prior year, whichever is higher. Taking the larger calculation as a basis Facebook’s maximum fine would be $1.63 billion.

EU Commission: Draft for adoption of adequacy decision for Japan

6. September 2018

The EU Commission has drafted the adequacy decision for Japan including next steps Japan has to undertake in order to ensure protection for the transfer of personal data from the EU to Japan. This includes additional safeguards Japan should apply, as well as commitments regarding access to personal data by Japanese public authorities.

Japan has committed to implement several safeguards that are necessary for the protection of the transfer of personal data before the actual adoption of the adequacy decision. These include,

  • a set of rules providing additional safeguards for transferred personal data of EU individuals (addressing inter alia the topics protection of sensitive data and the further transfer of personal data from Japan to another third country),
  • safeguards concerning the access to personal data by Japanese public authorities for criminal law enforcement and national security purposes,
  • a complaint-handling mechanism for Europeans regarding the access of Japanese authorities to their personal data.

The Commissioner for Justice, Consumers and Gender Equality, Věra Jourová, said: “We are creating the world’s largest area of safe data flows. Personal data will be able to travel safely between the EU and Japan to the benefit of both our citizens and our economies. Our partnership will promote global standards for data protection and set an example for future partnerships in this key area.”

The next step in the adoption procedure of the adequacy decision is the European Data Protection Board (EDPB), which will be asked for his opinion.

Category: EU · EU Commission · General
Tags: ,

Luxembourg publishes two new Data Protection Laws

24. August 2018

On August 1st, 2018 the Luxembourg government adopted two new data protection laws implementing certain parts of the General Data Protection Regulation (Regulation (EU) 2016/679 – the “GDPR”) and repeals the former data protection law of 2002. Draft Bill Number 7184 and 7168 were adopted and complement the GDPR, which has been in force since 25 May 2018 throughout the European Union.

The newly implemented laws don’t add any further restrictions to the processing of personal data, but rather serve as implementing provisions required under GDPR.

The new Luxembourg Data Protection Law defines the organisation, missions and competence of the Luxembourg data protection authority (Commission nationale pour la protection des données – CNPD) and provides specific requirements or exceptions. The CNPD has been granted broad investigation powers. The CNPD receives for example the right to obtain access from any controller or processor to all personal data and information necessary to verify compliance under GDPR. The CNPD is also in charge to issue warning, orders and fines to any controller or processor who is not compliant under the provisions of the GDPR.

The second new law, the Luxembourg Law on Criminal Data Processing specifically relates to the protection of individuals with regard to the processing of personal data in criminal matters and national security.

The two laws should be read together, as they jointly extend the competences of the CNPD.

Starting with the new implementations, Luxembourg companies are discharged of the administrative burden of an active notification of personal data processing to the CNPD prior to processing personal data. However, companies should be ready to be controlled by the local regulator and therefore they are obliged to keep a record of the processing of personal data that is carried out under their responsibility.

The final versions were published on August 16th, 2018 in the Official Gazette of Luxembourg.

Database operators in Sweden exempt from GDPR

With the GDPR coming into effect, enterprises in Sweden will also be subject to complying with the European principles and adhering to the GDPR.

However, new amendments and changes to the country’s constitution will be required to harmonise existing laws.

Due to the fact that Sweden emphasizes freedom of press and speech, it will initially make exemptions in cases where elements don’t comply with its Freedom of the Press Act of 1766.

As a consequence, current laws give database operators a broad freedom to gather and release personal data enabling them to collect and distribute personal information from a broad range of sources, including the national tax office.

The database operators and online publishers Eniro, Ratsit and Hitta are some of the companies that will be exempt until an expert group has drafted new and stricter legislation regarding the processing of personal data by these.

It is expected that the relevant laws will be amended in the first half of 2019.

Pages: Prev 1 2 3 4 5 6 7 8 9 10 11 Next
1 2 3 4 11